<security-config>
    <parameters>
        <init-param>
            <param-name>login.url</param-name>
            <param-value>/login.action?os_destination=${originalurl}&amp;permissionViolation=true</param-value>
        </init-param>
        <init-param>
            <param-name>link.login.url</param-name>
            <param-value>/login.action</param-value>
        </init-param>
        <init-param>
            <param-name>cookie.encoding</param-name>
            <param-value>cNf</param-value>
        </init-param>
        <init-param>
            <param-name>login.cookie.key</param-name>
            <param-value>seraph.confluence</param-value>
        </init-param>

        {% if atl_autologin_cookie_age is defined %}
          <init-param>
              <param-name>autologin.cookie.age</param-name>
              <param-value>{{ atl_autologin_cookie_age }}</param-value>
          </init-param>
        {% endif %}

        <!--only basic authentication available-->
        <init-param>
            <param-name>authentication.type</param-name>
            <param-value>os_authType</param-value>
        </init-param>

        <!-- Invalidate session on login to prevent session fixation attack -->
         <init-param>
            <param-name>invalidate.session.on.login</param-name>
            <param-value>true</param-value>
        </init-param>
        <!-- Add names for session attributes that must not be copied to a new session when the old one gets invalidated.
          Currently it is empty (i.e. all attributes will be copied). -->
        <init-param>
            <param-name>invalidate.session.exclude.list</param-name>
            <param-value></param-value>
        </init-param>
    </parameters>

    <rolemapper class="com.atlassian.confluence.security.ConfluenceRoleMapper"/>
    <controller class="com.atlassian.confluence.setup.seraph.ConfluenceSecurityController"/>

    <!-- Default Confluence authenticator, which uses the configured user management for authentication. -->
    <authenticator class="com.atlassian.confluence.user.ConfluenceAuthenticator"/>

    <!-- Custom authenticators appear below. To enable one of them, comment out the default authenticator above and uncomment the one below. -->

    <!-- Authenticator with support for Crowd single-sign on (SSO). -->
    <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceCrowdSSOAuthenticator"/> -->

    <!-- Specialised version of the default authenticator which adds authenticated users to confluence-users if they aren't already a member. -->
    <!-- <authenticator class="com.atlassian.confluence.user.ConfluenceGroupJoiningAuthenticator"/> -->

    <services>
        <service class="com.atlassian.seraph.service.PathService">
            <init-param>
                <param-name>config.file</param-name>
                <param-value>seraph-paths.xml</param-value>
            </init-param>
        </service>
    </services>

    <elevatedsecurityguard class="com.atlassian.confluence.security.seraph.ConfluenceElevatedSecurityGuard"/>

</security-config>
